"""
auth.py — Authentication decorators and current-user helpers.
"""
import logging
from functools import wraps

from flask import session, request, redirect, url_for, jsonify, flash

from db import q, app, MANAGER_ROLES  # noqa: F401 — app re-exported for passenger_wsgi


def login_required(f):
    """Wrap view *f* so that anonymous visitors are sent to the login page.

    "Logged in" means only that ``'user_id'`` is present in ``session``;
    no database lookup is performed here (see ``current_user`` for that).

    Args:
        f: the Flask view function to protect.

    Returns:
        A view with the same name/docstring as *f* that either calls *f*
        or returns a redirect to the ``login`` endpoint.
    """
    @wraps(f)
    def decorated(*args, **kwargs):
        if 'user_id' in session:
            return f(*args, **kwargs)
        return redirect(url_for('login'))
    return decorated


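def _user_has_role(user_role, required_roles):
    """Return True if *user_role* satisfies *required_roles*.

    A user passes when their role key is one of the required roles
    directly, or when it is a ``custom_roles`` row whose comma-separated
    ``permissions`` column names at least one of the required roles.

    Args:
        user_role: the role key held by the session (may be ``''``).
        required_roles: iterable of acceptable role keys. It is
            materialised once, so a one-shot iterator is safe. An empty
            iterable denies everyone.

    Returns:
        bool. Any exception raised while looking up or parsing the custom
        role is logged with its traceback and treated as "no role", so a
        broken database can never widen access (fail closed).
    """
    required = set(required_roles)
    if user_role in required:
        return True
    try:
        row = q("SELECT permissions FROM custom_roles WHERE role_key=?", (user_role,), one=True)
        if row and row['permissions']:
            # Permissions are stored as "a, b,c"; tolerate whitespace and
            # empty segments.
            granted = {p.strip() for p in row['permissions'].split(',') if p.strip()}
            return not granted.isdisjoint(required)
    except Exception:
        # Fail closed: a lookup or parse error denies access rather than
        # granting it. logger.exception keeps the traceback for operators.
        logging.getLogger(__name__).exception("ROLE CHECK DB error")
    return False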


def role_required(*roles):
    """Build a decorator that only admits users holding one of *roles*.

    The role is read from ``session['role']`` (``''`` when absent) and
    checked via ``_user_has_role``, so custom roles whose permissions
    include one of *roles* also pass. On denial, requests under ``/api/``
    receive a JSON body with HTTP 403; all others are flashed a message and
    redirected to the ``dashboard`` endpoint.

    Args:
        *roles: acceptable role keys. With no roles given, every request
            is denied.

    Returns:
        A decorator for Flask view functions.
    """
    def decorator(f):
        @wraps(f)
        def decorated(*args, **kwargs):
            current_role = session.get('role', '')
            if _user_has_role(current_role, roles):
                return f(*args, **kwargs)
            # Denied: choose the response shape by where the request came from.
            is_api_call = request.path.startswith('/api/')
            if is_api_call:
                return jsonify({'error': 'Unauthorized'}), 403
            flash("You do not have permission to access that page.")
            return redirect(url_for('dashboard'))
        return decorated
    return decorator


def current_user():
    """Return the ``users`` row for the logged-in user, or ``None``.

    The lookup keys on ``session['user_id']`` and hits the database on
    every call; nothing is cached on the request.
    """
    if 'user_id' in session:
        return q("SELECT * FROM users WHERE id=?", (session['user_id'],), one=True)
    return None


def is_manager():
    """True when the session role is one of ``MANAGER_ROLES`` (from ``db``).

    This is a plain membership test on ``session['role']``; unlike
    ``role_required`` it does not expand ``custom_roles`` permissions.
    """
    role = session.get('role')
    return role in MANAGER_ROLES
def is_gm():
    """True when the session role is exactly ``'general_manager'``.

    Like ``is_manager`` this reads ``session['role']`` directly and does
    not consult ``custom_roles``.
    """
    role = session.get('role')
    return role == 'general_manager'
